b'Pension Benefit Guaranty Corporation\n      Office of Inspector General\n            Audit Report\n\n\n\n\n            Fiscal Year 2001\n       Financial Statement Audit \xe2\x80\x93\n           Management Letter\n\n\n\n\n            August 29, 2002\n                                     2002-6/23157-5\n\x0c                            Fiscal Year 2001 Financial Statement Audit\n                                     Management Letter Report\n\n                                     Audit Report 2002-6/23157-5\n\n                                     TABLE OF CONTENTS\nExecutive Summary ------------------------------------------------------------------------ i\n\nManagement Response and OIG Evaluation -------------------------------------------v\n\nIntroduction -------------------------------------------------------------------------------- 1\n\nAudit Objectives---------------------------------------------------------------------------- 1\n\nScope and Methodology ------------------------------------------------------------------- 2\n\nAudit Results ------------------------------------------------------------------------------- 2\n\nCurrent Year Findings and Recommendations---------------------------------------- 5\n\nAgency Comments ------------------------------------------------------------------ TAB A\n\n                                             ABBREVIATIONS\n\nERISA                    Employee Retirement Income Security Act\nFBA                      Field Benefit Administrator\nFY                       Fiscal Year\nGAB                      General Accounting Branch\nIOD                      Insurance Operations Department\nIPVFB                    Integrated Present Value of Future Benefits\nIRMD                     Information Resources Management Department\nIPS                      Image Processing System\nNIST                     National Institute of Standards and Technology\nNRFFA                    Non-recoverable Future Financial Assistance\nOIG          
            Office of Inspector General\nOMB                      Office of Management and Budget\nPAS                      Premium Accounting System\nPBGC                     Pension Benefit Guaranty Corporation\nPRISM                    Participant Records Information Systems Management\nPVFB                     Present Value Future Benefits\nRA                       Reconciliation Administrator\nSDLC                     Systems Development Life Cycle\nSOA                      Statement of Accounts\nSOR                      Significant Occurrences Report\nSSB                      State Street Bank\nTP                       Technical Procedure\n\n                                                                                     2002-6/23157-5\n\x0c                        Fiscal Year 2001 Financial Statement Audit\n                                 Management Letter Report\n                           Audit Report Number 2002-6/23157-5\n\n                                   EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) of the Pension Benefit Guaranty Corporation (PBGC or\nthe Corporation) engaged PricewaterhouseCoopers LLP (PricewaterhouseCoopers) to conduct\nan audit of the financial statements of the Single-Employer Program and Multiemployer\nProgram Funds administered by PBGC, as of and for the years ended September 30, 2001 and\nSeptember 30, 2000. Our audits were performed in accordance with standards established by\nthe American Institute of Certified Public Accountants (AICPA) in the United States of America,\nGovernment Auditing Standards, and pursuant to the methodology set forth by the United\nStates General Accounting Office\xe2\x80\x99s (GAO) Financial Audit Manual (FAM). 
Those standards\nrequire that we plan and perform the audit to obtain reasonable assurance about whether the\nfinancial statements are free of material misstatement.\n\n   As a result of our FY 2001 audit, we issued the following reports:\n\n   \xe2\x80\xa2   an unqualified opinion on PBGC\xe2\x80\x99s statements of financial condition, and the\n       related statements of operations and changes in net position and statements of\n       cash flows, as of and for the years ended September 30, 2001, and September 30,\n       2000 (OIG report number 2002-3/23157-2);\n\n   \xe2\x80\xa2   a report on PBGC\xe2\x80\x99s compliance with laws and regulations that noted no instances\n       of non-compliance with the provisions tested (OIG report number 2002-3/23157-\n       2); and\n\n   \xe2\x80\xa2   a report on internal control that identified three recurring reportable conditions\n       (OIG report number 2002-3/23157-2). These reportable conditions were not\n       deemed to be material weaknesses as defined by standards established by the\n       AICPA in the United States of America.\n\nOur FY 2001 report on internal control included two reportable conditions that were carried\nforward from FY 2000. Additionally, this reportable condition was reported in FYs 1996\nthrough 1999. The first reportable condition related to the lack of integration of the\nCorporation\xe2\x80\x99s financial management systems, including the need for an adequate Systems\nDevelopment Life Cycle (SDLC) methodology and the need for adequate systems development\nmonitoring and oversight of third party contractors employed by PBGC. During FY 2001, we\nnoted PBGC successfully completed developing and documenting major portions of the SDLC\nmethodology. 
However, additional work is required to integrate PBGC\xe2\x80\x99s financial management\nsystems, implement the formal SDLC corporate-wide, and identify, document and follow\nspecific criteria to allow the Corporation to effectively monitor systems outsourcing.\n\n\n\n\n                                                i\n\n                                                                              2002-6/23157-5\n\x0cThe second reportable condition that was carried forward from FY 2000 related to the need to\nfurther develop, implement and test an adequate plan for maintaining continuity of operations.\nAdditionally, this reportable condition was reported in FYs 1999 and 1998. During FY 2001,\nPBGC made notable progress by improving its disaster recovery and business continuity plans.\nHowever, our FY 2001 audit still identified a number of deficiencies that would impair PBGC\xe2\x80\x99s\nability to respond effectively to a disruption in business operations.\n\nIn addition to the reportable conditions specified above, we identified a number of internal\ncontrol weaknesses that, although not considered material weaknesses or reportable\nconditions, we believe warrant the attention of management. Specifically, in FY 2001, we\ndowngraded the third reportable condition on the need to implement and improve controls\nsurrounding the Participant Records Information Systems Management (PRISM) from the FY\n2000 internal control report to a management letter finding in FY 2001. 
Although PBGC made\nsubstantial improvement in designing and implementing control procedures related to PRISM\noperations, further strengthening of controls is needed.\n\nThis management report presents 16 findings with 24 recommendations for improvements in\nthe Corporation\xe2\x80\x99s internal control that were identified during our audit of the FY 2001 financial\nstatements.\n\n\n\n\n                                                ii\n\n                                                                              2002-6/23157-5\n\x0cFindings                          Summary of Recommendations                                   Page\n\n   1       Develop a system to specifically identify limitation administrative expenses and     7\n           develop fiscal year budgets using the specific identification methods. (BD-2)\n\n   1        Provide documentation to support the accuracy of the allocation ratio and the       7\n           propriety of designating administrative expenses as not being subject to\n           limitation as defined in the appropriation law. (BD-3)\n\n  2.1       Enforce PRISM Trial Balance Reconciliation review procedures in TP 11.1.            9\n           (IOD-202)\n\n  2.1       Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to            9\n           establish a timetable to review variances in the PRISM Trial Balance\n           Reconciliation. (IOD-203)\n\n  2.1       Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to            9\n           require that the reconciliations be imaged in IPS after supervisory review. 
(IOD-\n           204)\n\n  2.2       Document a review procedure of PRISM Balancer Module reconciliations and           10\n           unify the reconciliation documentation requirements by defining which print\n           screens to keep as evidence of final resolution of the discrepancy, and what\n           areas need to be completed in the summary sheets for management review.\n           (IOD-205)\n\n  2.2       Establish monitoring criteria for PRISM Balancer Reconciliatons by defining the    10\n           types of discrepancies that should be \xe2\x80\x9cflagged\xe2\x80\x9d by the staff and brought to\n           management\xe2\x80\x99s attention for follow-up action. (IOD-206)\n\n  2.3       Amend TP 30.1 to include deadlines for completion of the monthly                   10\n           reconciliations and to require supervisory review and approval. (IOD-207)\n\n   3       Implement monthly procedures to submit a list of inactive participants to the       11\n           PRISM team before the month-end cut-off to update the pay status to inactive\n           and to verify that the submitted changes were made (IOD-208)\n\n   4        Modify TP 12.7 and 12.8 to require that the audit working papers be imaged,        12\n           including the sample selected, the database associated with the sample, all\n           sources used to test the sample and the errors found in the sample. (IOD-209)\n\n\n\n\n                                              iii\n\n                                                                             2002-6/23157-5\n\x0cFindings                          Summary of Recommendations                                    Page\n\n  5.1      Strengthen compliance with premium refund timeliness goals. (FOD-289)                12\n\n  5.2      Adopt a methodology for the premiums receivable allowance calculation and            13\n           apply it consistently each year. 
(FOD-290)\n\n  6.1      Develop and document specific policies and procedures to perform risk                14\n           assessments of business systems as required by OMB. (CTO-1)\n\n  6.1      Implement the established policies and procedures for completing risk                14\n           assessments to comply with OMB requirements. (CTO-2)\n\n  6.2      Improve the information security structure to provide for enhanced responsibility    15\n           and accountability. (IRMD-131)\n\n  6.3       Develop and document policies and procedures for the performance of periodic        16\n           recertifications of PBGC systems\xe2\x80\x99 user accounts. (IRMD-132)\n\n  6.3      Implement periodic re-certifications of PBGC systems\xe2\x80\x99 user accounts.        (IRMD-   16\n           133)\n\n  6.4       Establish monitoring procedures to enforce compliance with existing change          17\n           control policies, procedures, and standards. (IRMD-134)\n\n  7.1       For cases with data sources more than five years old, implement a procedure to      17\n           determine whether 1) an updated data source would provide a more accurate\n           estimate of the NRFFA liability and 2) a valuation is available or can be\n           completed without a significant burden on resources. (IOD-210)\n\n  7.2      Revise the Controller Division Consolidated Procedures Manual to require that        18\n           the promissory notes and financial assistance disbursement documents are\n           timely placed in the General Accounting Branch vault, and sign-out logs are\n           periodically reviewed to ensure documents are returned timely. (FOD-291)\n\n  8.1       Provide the appropriate training to PBGC management and employees to                19\n           understand derivatives transactions, account for them properly, and disclose\n           them properly in the financial statements. 
(FOD-292)\n\n  8.1       Actively monitor derivatives activity by monitoring SSB\xe2\x80\x99s accounting and            19\n           reporting activities. (FOD-293)\n\n  8.1      Reconcile SSB and the investment managers\xe2\x80\x99 derivative inventories and                19\n           positions monthly. (FOD-294)\n\n  8.2      PBGC\xe2\x80\x99s Board of directors should review and approve PBGC\xe2\x80\x99s investment policy         20\n           once every two years. (FOD-295)\n\n\n                                              iv\n\n                                                                            2002-6/23157-5\n\x0cMANAGEMENT RESPONSE AND OIG EVALUATION\n\n       PBGC management was provided a draft copy of this report for review and comment. In\naddition, we met with PBGC officials to discuss the findings and recommendations. After these\ndiscussions, the OIG removed one finding from the draft report relating to lack of a formal\ninvestment strategy. With respect to the formal investment strategy, PBGC management\nprovided additional data showing that a investment strategy is in place.\n\n       We have reviewed PBGC\xe2\x80\x99s comments to this Report. PBGC management commented on\nand agreed with the findings and recommendations in this final report. 
Their comments can\nbe found at Tab A.\n\n\n\n\n                                              v\n\n                                                                          2002-6/23157-5\n\x0c                        Fiscal Year 2001 Financial Statement Audit\n                                 Management Letter Report\n\n                               Audit Report (2002-6/23157-5)\n\n\nIntroduction\n\nAs a government corporation created by Title IV of the Employee Retirement Income Security\nAct of 1974 (ERISA), as amended, the Pension Benefit Guaranty Corporation (PBGC or the\nCorporation) protects the pensions of more than 44 million Americans in approximately 35,000\nprivate defined benefit pension plans, including about 1,700 multiemployer plans. PBGC\xe2\x80\x99s\nmission is to operate as a service-oriented, professionally managed agency that protects\nparticipants\xe2\x80\x99 benefits and supports a healthy retirement plan system by: (1) encouraging the\ncontinuation and maintenance of private pension plans for the benefit of their participants; (2)\nproviding timely payments of benefits in the case of terminated pension plans; and (3) making\nthe maximum use of resources and maintaining premiums and operating costs at the lowest\nlevels consistent with statutory responsibilities. 
PBGC finances its operations through\npremiums collected from covered plans, assets assumed from terminated plans, collection of\nemployer liability payments due under ERISA, as amended, and investment income.\n\n\n\nAudit Objectives\n\nThe objectives of our audit were to determine whether:\n\n   \xe2\x80\xa2   The financial statements present fairly, in all material respects, the financial position of\n       the Single-Employer and Multiemployer Program Funds administered by PBGC as of\n       September 30, 2001, and September 30, 2000, and the results of their operations and\n       cash flows for the years then ended, in conformity with accounting principles generally\n       accepted in the United States of America.\n\n   \xe2\x80\xa2   Management\xe2\x80\x99s assertion that PBGC\xe2\x80\x99s management controls in effect as of September 30,\n       2001, provided reasonable assurance that assets were safeguarded from material loss\n       and transactions were executed in accordance with management\xe2\x80\x99s authority and with\n       significant provisions of selected laws and regulations, and furthermore, PBGC\n       management controls provided reasonable assurance that transactions were properly\n       recorded, processed, and summarized to permit the preparation of the financial\n       statements in accordance with accounting principles generally accepted in the United\n       States of America and to maintain accountability for assets among funds is fairly stated,\n       in all material respects, based upon criteria contained in the Federal Managers\xe2\x80\x99\n       Financial Integrity Act of 1982 (FMFIA). 
This assertion is included in the Management\xe2\x80\x99s\n       Discussion and Analysis of Financial Condition and Results of Operations section of\n       PBGC\xe2\x80\x99s Fiscal Year (FY) 2001 Annual Report to the Congress.\n\n   \xe2\x80\xa2   PBGC is in compliance with significant provisions of applicable laws and regulations.\n\n\n                                                1\n\n                                                                                    2002-6/23157-5\n\x0cScope and Methodology\n\nThe Office of Inspector General (OIG) of PBGC engaged PricewaterhouseCoopers LLP to\nconduct an audit of the financial statements of the Single-Employer Program and\nMultiemployer Program Funds administered by PBGC as of and for the years ended September\n30, 2001, and September 30, 2000.\n\nOur audits were performed in accordance with standards established by the American Institute\nof Certified Public Accountants (AICPA) in the United States of America, Government Auditing\nStandards, and pursuant to the methodology set forth by the United States General Accounting\nOffice\xe2\x80\x99s (GAO) Financial Audit Manual (FAM). Those standards require that we plan and\nperform the audit to obtain reasonable assurance about whether the financial statements are\nfree of material misstatement.\n\nWe performed tests of the accounting records and such other auditing procedures, as we\nconsidered necessary in the circumstances. This involved performing tests at PBGC, State\nStreet Bank (SSB), two investment manager sites, and two Field Benefit Administrator (FBA)\nsites. We did not perform tests related to standard terminations or other areas since such\nevents did not have a direct and material effect on the financial statements.\n\n\n\nAudit Results\n\nAs a result of our FY 2001 audit, we issued the following reports:\n\n       1. 
An unqualified opinion on PBGC\xe2\x80\x99s statements of financial condition, and the related\n          statements of operations and changes in net position and statements of cash flows,\n          as of and for the years ended September 30, 2001, and September 30, 2000 (OIG\n          Report 2002-3/23157-2);\n\n       2. A report on PBGC\xe2\x80\x99s compliance with laws and regulations that noted no instances\n          of non-compliance with the provisions tested (OIG Report 2002-3/23157-2); and\n\n       3. A report on internal control that identified two recurring reportable conditions (OIG\n          Report 2002-3/23157-2). These reportable conditions were not deemed to be\n          material weaknesses as defined by standards established by AICPA in the United\n          States of America.\n\nOur FY 2001 report on internal control included two reportable conditions that were carried\nforward from FY 2000. Additionally, this reportable condition was reported in FYs 1996\nthrough 1999. The first reportable condition related to the lack of integration of the\nCorporation\xe2\x80\x99s financial management systems, including the need for an adequate Systems\nDevelopment Life Cycle (SDLC) methodology and the need for adequate systems development\nmonitoring and oversight of third party contractors employed by PBGC. During FY 2001, we\nnoted PBGC successfully completed developing and documenting major portions of the SDLC\nmethodology. 
However, additional work is required to integrate PBGC\xe2\x80\x99s financial management\n\n\n                                               2\n\n                                                                                 2002-6/23157-5\n\x0csystems, implement the formal SDLC corporate-wide, and identify, document and follow\nspecific criteria to allow the Corporation to effectively monitor systems outsourcing.\n\nThe second reportable condition that was carried forward from FY 2000 related to the need to\nfurther develop, implement and test an adequate plan for maintaining continuity of operations.\nAdditionally, this reportable condition was reported in FYs 1999 and 1998. During FY 2001,\nPBGC made notable progress by improving its disaster recovery and business continuity plans.\nHowever, our FY 2001 audit still identified a number of deficiencies that would impair PBGC\xe2\x80\x99s\nability to respond effectively to a disruption in business operations.\n\nIn addition to the reportable conditions specified above, we identified a number of internal\ncontrol weaknesses that, although not considered material weaknesses or reportable\nconditions, we believe warrant the attention of management. Specifically, in FY 2001, we\ndowngraded the third reportable condition on the need to implement and improve controls\nsurrounding the Participant Records Information Systems Management (PRISM) from the FY\n2000 internal control report to a management letter finding in FY 2001. Although PBGC made\nsubstantial improvement in designing and implementing control procedures related to PRISM\noperations, further strengthening of controls is needed. 
Specifically, PBGC needs to address or\ncomplete the following recommendations that have in the past supported the PRISM reportable\ncondition and still remain open as a result of FY 2001 audit work:\n          \xe2\x80\xa2   Perform an analysis of data integrity within the PRISM database and develop a\n              formal corrective action plan; (OIG Control Number IOD-151)\n          \xe2\x80\xa2   Analyze and improve system edits and processing controls within PRISM to\n              minimize erroneous data input and data processing. Design and place in\n              operation an exception reporting mechanism to mitigate the risk of\n              unauthorized transactions processing; (OIG Control Number IOD-152)\n          \xe2\x80\xa2   Enforce existing IOD policies and procedures requiring that participants\xe2\x80\x99 files\n              contain complete information critical for the benefit payments and the PVFB\n              liability calculation; (OIG Control Number IOD-169)\n          \xe2\x80\xa2   Enforce policies and procedures that require participants\' records in PRISM\n              contain information that is adequately supported in IPS; (OIG Control Number\n              IOD-172)\n          \xe2\x80\xa2   Delete invalid duplicate participant records in PRISM and implement necessary\n              controls to prevent the creation of duplicate records in future processing; (OIG\n              Control Number IOD-175)\n          \xe2\x80\xa2   Reassess the level of access to the PBGC\xe2\x80\x99s paying agent Payment and Ledger\n              files that is given to the Management Information Specialist. 
The PBGC\xe2\x80\x99s paying\n              agent files should not be directly modified using SQL queries and any changes\n              made to the PBGC\xe2\x80\x99s paying agent files should be re-submitted for authorization;\n              (OIG Control Number IOD-193)\n          \xe2\x80\xa2   Add additional integrity checks to verify the integrity of the data received by\n              PBGC\xe2\x80\x99s paying agent; (OIG Control Number IOD-194)\n\n\n\n\n                                               3\n\n                                                                                  2002-6/23157-5\n\x0c           \xe2\x80\xa2   Changes to the information used to process customer payments should be\n               authorized before being sent to PBGC\xe2\x80\x99s paying agent or at a minimum it should\n               be logged and reviewed regularly; (OIG Control Number IOD-195)\n           \xe2\x80\xa2   Changes made by the Data Working Group should be sent back for re-\n               authorization; (OIG Control Number IOD-196)\n           \xe2\x80\xa2   Reassess use of the Authorizer Administration inclusion function. This\n               functionality should be limited to special usage, logged and reviewed by PBGC\n               management; (OIG Control Number IOD-197)\n           \xe2\x80\xa2   Segregate duties of individuals processing PBGC\xe2\x80\x99s paying agent payments and\n               PBGC\xe2\x80\x99s paying agent ledger files; and (OIG Control Number IOD-198)\n           \xe2\x80\xa2   Independently review changes made by the Document Management Center\n               supervisor before they are submitted to OASD. (OIG Control Number IOD-199)\n\n\nFindings and Recommendations\n\nThis report contains 16 findings, resulting in 24 recommendations that PBGC should implement\nto strengthen the Corporation\xe2\x80\x99s internal control. 
The remainder of this report is comprised of the\nfollowing:\n\n       \xe2\x80\xa2   A table listing our current year recommendations (pages 5-6).\n\n       \xe2\x80\xa2   A discussion of each current year finding and corresponding recommendation(s)\n           (pages 7-20).\n\n\n\n\n                                               4\n\n                                                                                 2002-6/23157-5\n\x0cFindings                          Summary of Recommendations                                   Page\n\n   1       Develop a system to specifically identify limitation administrative expenses and        7\n           develop fiscal year budgets using the specific identification methods. (BD-2)\n\n   1        Provide documentation to support the accuracy of the allocation ratio and the          7\n           propriety of designating administrative expenses as not being subject to\n           limitation as defined in the appropriation law. (BD-3)\n\n  2.1       Enforce PRISM Trial Balance Reconciliation review procedures in TP 11.1.               9\n           (IOD-202)\n\n  2.1       Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to               9\n           establish a timetable to review variances in the PRISM Trial Balance\n           Reconciliation. (IOD-203)\n\n  2.1       Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to               9\n           require that the reconciliations be imaged in IPS after supervisory review. 
(IOD-\n           204)\n\n  2.2       Document a review procedure of PRISM Balancer Module reconciliations and               10\n           unify the reconciliation documentation requirements by defining which print\n           screens to keep as evidence of final resolution of the discrepancy, and what\n           areas need to be completed in the summary sheets for management review.\n           (IOD-205)\n\n  2.2       Establish monitoring criteria for PRISM Balancer Reconciliatons by defining the        10\n           types of discrepancies that should be \xe2\x80\x9cflagged\xe2\x80\x9d by the staff and brought to\n           management\xe2\x80\x99s attention for follow-up action. (IOD-206)\n\n  2.3       Amend TP 30.1 to include deadlines for completion of the monthly                       10\n           reconciliations and to require supervisory review and approval. (IOD-207)\n\n   3       Implement monthly procedures to submit a list of inactive participants to the           11\n           PRISM team before the month-end cut-off to update the pay status to inactive\n           and to verify that the submitted changes were made. (IOD-208)\n\n   4        Modify TP 12.7 and 12.8 to require that the audit working papers be imaged,            12\n           including the sample selected, the database associated with the sample, all\n           sources used to test the sample and the errors found in the sample. (IOD-209)\n\n\n\n\n                                              5\n\n                                                                                  2002-6/23157-5\n\x0cFindings                          Summary of Recommendations                                    Page\n\n  5.1      Strengthen compliance with premium refund timeliness goals. (FOD-289)                   12\n\n  5.2      Adopt a methodology for the premiums receivable allowance calculation and               13\n           apply it consistently each year. 
(FOD-290)\n\n  6.1      Develop and document specific policies and procedures to perform risk                   14\n           assessments of business systems as required by OMB. (CTO-1)\n\n  6.1      Implement the established policies and procedures for completing risk                   14\n           assessments to comply with OMB requirements. (CTO-2)\n\n  6.2      Improve the information security structure to provide for enhanced responsibility       15\n           and accountability. (IRMD-131)\n\n  6.3       Develop and document policies and procedures for the performance of periodic           16\n           recertifications of PBGC systems\xe2\x80\x99 user accounts. (IRMD-132)\n\n  6.3      Implement periodic re-certifications of PBGC systems\xe2\x80\x99 user accounts.        (IRMD-      16\n           133)\n\n  6.4       Establish monitoring procedures to enforce compliance with existing change             17\n           control policies, procedures, and standards. (IRMD-134)\n\n  7.1       For cases with data sources more than five years old, implement a procedure to         17\n           determine whether 1) an updated data source would provide a more accurate\n           estimate of the NRFFA liability and 2) a valuation is available or can be\n           completed without a significant burden on resources. (IOD-210)\n\n  7.2      Revise the Controller Division Consolidated Procedures Manual to require that           18\n           the promissory notes and financial assistance disbursement documents are\n           timely placed in the General Accounting Branch vault, and sign-out logs are\n           periodically reviewed to ensure documents are returned timely. (FOD-291)\n\n  8.1       Provide the appropriate training to PBGC management and employees to                   19\n           understand derivatives transactions, account for them properly, and disclose\n           them properly in the financial statements. 
(FOD-292)\n\n  8.1       Actively monitor derivatives activity by monitoring SSB\xe2\x80\x99s accounting and               19\n           reporting activities. (FOD-293)\n\n  8.1      Reconcile SSB and the investment managers\xe2\x80\x99 derivative inventories and                   19\n           positions monthly. (FOD-294)\n\n  8.2      PBGC\xe2\x80\x99s Board of directors should review and approve PBGC\xe2\x80\x99s investment policy            20\n           once every two years. (FOD-295)\n\n\n\n                                              6\n\n                                                                                  2002-6/23157-5\n\x0c1.       Classification of administrative expenses\n         not properly supported.\n\nIn the Consolidated Appropriations-2001 Act (Public Law 106-554), PBGC was required to limit\nadministrative expenses in FY 2001 to $11,652,000. This law does not define what types of\nexpenses are considered administrative and therefore subject to limitation. It does, however,\nidentify the types of expenses that are \xe2\x80\x9cconsidered as non-administrative expenses for the\npurposes hereof, and excluded from the above limitation.\xe2\x80\x9d These excluded expenses, referred\nto as \xe2\x80\x9cnon-limitation,\xe2\x80\x9d are defined as expenses relating to:\n\n     \xe2\x80\xa2   Termination of pension plans;\n\n     \xe2\x80\xa2   Acquisition, protection, management or investment of trust assets; and\n\n     \xe2\x80\xa2   Benefits administration services.\n\nIn FY 2001, PBGC budgeted $41 million in administrative (limitation) expenses and $147\nmillion in non-limitation expenses. In order to meet the Congressional cap on limitation\nexpenses, PBGC applied a ratio to allocate a portion of the $41 million to non-limitation\nexpenses. 
During our FY 2001 testing, we noted no documented support that the amounts allocated to
non-limitation expenses through application of this ratio met the definition of non-limitation
expenses.

The policies related to the Corporation’s determination of which administrative expenses are
limitation or non-limitation expenses may be improper or inadequate. If reviewed on an
individual expense basis, the cumulative total of these administrative expenses may exceed the
Congressional limitation.

                                         Recommendations

We recommend the following corrective actions:

         Develop a system to specifically identify limitation administrative expenses and
         develop fiscal year budgets using the specific identification methods. (BD-2)

         Provide documentation to support the accuracy of the allocation ratio and the
         propriety of designating administrative expenses as not being subject to limitation
         as defined in the appropriation law. (BD-3)


2.       PRISM Reconciliations Need Improvement.

PRISM is an integrated information system developed to support PBGC in administering
pension plan customers. PRISM also provides an automated interface with State Street Bank
for benefit payment information. In our testing of PRISM, we noted several instances in which
required reconciliations were not performed timely, evidence to support reconciliation of the
variance was not maintained, and supervisory review was not documented.


2.1      PRISM Trial Balance Reconciliation not properly maintained and reviewed.

State Street Bank (SSB) is PBGC’s paying agent for benefit payments to participants. Before
the payments (checks and automatic deposits) are released by SSB, the PRISM Trial Balance
Reconciliation (Trial Balancer) module compares the authorized benefit payment information
PBGC provides to SSB with the payment file created by SSB to identify discrepancies. During
our FY 2001 testing of the PRISM Trial Balancer process, we noted that the Reconciliation
Administrator (RA) is not properly maintaining supporting documentation, including e-mail
messages sent out by the Information Resources Management Department (IRMD) for each
variance noted during the reconciliation process. We also noted that the RA is not timely
reviewing and processing the resolutions.

Per PBGC Technical Procedure (TP) 11.1, the RA is responsible for:

      •   maintaining records of e-mails sent out by IRMD regarding the variances for tracking
          purposes;

      •   maintaining the “Reconcile Screen” for variances and updating it with the error
          correction and variance resolution codes upon receipt of the completed Trial Balance
          Variance Reports from the Trusteeship Processing Divisions (TPDs)/Field Benefit
          Administrators (FBAs); and

      •   sending completed Trial Balance Variance Reports and any attachments to the
          Document Management Center for imaging to the payee's files in the Image Processing
          System (IPS) after entering the resolution codes in PRISM Trial Balance.

The RA stated that it is impractical to maintain the e-mail messages sent out by the IRMD due
to computer storage space limitations. In addition, the RA stated that time limitations have
prevented him from reviewing the resolutions, updating the resolution codes on the Variance
Report, and sending the reports to be imaged in IPS.

The RA should analyze the summary Trial Balancer report, identify critical errors that are high
priority, and immediately take corrective action. This will allow PBGC to take full advantage of
the Trial Balancer capabilities to catch and correct errors before checks are issued, thus
preventing after-the-fact recoupment efforts. Failure to adhere to processing and review
procedures is a control weakness and can hinder the efficiency and effectiveness of
management operations and review processes.

                                        Recommendations

We recommend the following corrective actions:

      Enforce PRISM Trial Balance Reconciliation review procedures in TP 11.1. (IOD-202)

      Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to
      establish a timetable to review variances in the PRISM Trial Balance Reconciliation.
      (IOD-203)

      Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to require
      that the reconciliations be imaged in IPS after supervisory review. (IOD-204)


2.2    Lack of management review procedures regarding Balancer Module Reconciliation.

Each month after PBGC transfers the payment file to SSB and checks are issued, the PRISM
Balancer Module automatically generates an exception report that lists discrepancies between
PBGC’s authorized and SSB's actual benefit payment amounts. The discrepancies are then
assigned to PBGC staff to investigate.
During our FY 2001 testing of PRISM Balancer Module reconciliations, we noted inconsistencies
among the staff in maintaining the supporting documentation for management review.
Specifically, some summary sheets did not have evidence of reviewer sign-off and some did not
have “corrective action taken” boxes checked off. Furthermore, some supporting documentation
did not include the final resolution of the issue, yet was marked reviewed by the supervisor. If
the supervisor reviewed the final resolution electronically, it was not noted in the
documentation.

Inconsistencies in and incompleteness of the PRISM Balancer Module reconciliation were a
direct result of a lack of step-by-step management review procedures. Currently PBGC's
Insurance Operations Department (IOD) on-line procedures manual contains a procedure on
resolving payment variances (TP 09.1) but does not establish management review procedures.
Enhanced procedures will improve the efficiency and effectiveness of the management review
process.

Lack of sound management review procedures defining the necessary supporting
documentation to maintain, and what areas in the summary sheet need to be completed before
the reconciliations can be passed on for management review, is a control weakness and can
hinder the efficiency and effectiveness of the management review process.

                                      Recommendations

We recommend the following corrective actions:

       Document a review procedure of PRISM Balancer Module reconciliations and unify
       the reconciliation documentation requirements by defining which print screens to
       keep as evidence of final resolution of the discrepancy, and what areas need to be
       completed in the summary sheets for management review. (IOD-205)

       Establish monitoring criteria for PRISM Balancer Reconciliations by defining the
       types of discrepancies that should be “flagged” by the staff and brought to
       management’s attention for follow-up action. (IOD-206)


2.3    Reconciliations of benefit payments to funding requests not performed timely or reviewed.

During our FY 2001 control testing related to accounting for benefit payments, we noted that
reconciliations between benefit funding requests, prepared by PBGC and submitted to SSB,
and actual benefits paid by SSB were not performed timely. Each of the twelve monthly
reconciliations tested was performed from one month up to six months after the date of the
funding approval memorandum. In addition, none of the monthly reconciliations showed
evidence of review and approval by an IOD supervisor.

PBGC TP 30, Reconcile Funding to SSB with Actual Payments, requires that the Technical
Support Division Funding Reconciliation Administrator review the benefit funding documents
sent by SSB to ensure the figures agree with the funding request, and then reconcile the
figures with PRISM payment ledgers. However, TP 30 does not specify timeliness or require
supervisory review and approval. If reconciliations of benefit funding requests to actual
benefits paid are not performed and reviewed in a timely manner, differences may not be
detected.

                                       Recommendation

We recommend the following corrective action:

       Amend TP 30.1 to include deadlines for completion of the monthly reconciliations
       and to require supervisory review and approval. (IOD-207)


3.     Participants with incorrect pay status in PRISM.

During our FY 2001 testing at the Iowa and Wisconsin FBA sites, we noted that for 13 out of
45 participants tested at the Iowa site and one out of 45 tested at the Wisconsin site, the pay
status was incorrect. These participants had received a one-time lump-sum benefit payment
and were not entitled to receive additional payments. However, PRISM continued to show their
pay status as “active.”

The pay status change from “active” to “inactive” within PRISM is partially automatic in that if
the payment amount is within five percent of the lump sum discriminator, preset by the
system in accordance with the plan actuarial valuation, the participant’s status will be
changed to “inactive.” If the payment amount is outside of the five percent threshold, then the
status change has to be manually updated by the PRISM team. The IOD procedures do not
define who is responsible for initiating and reviewing the manual changes from “active” to
“inactive” pay status.

Although there are no future payments set up in the system, leaving the participants in an
active pay status may affect the Present Value of Future Benefits (PVFB) actuarial calculations.
The PVFB is calculated for all participants in an active pay status and, even though the
actuaries generate exception reports prior to calculating PVFB, improper inclusion in the PVFB
calculation may still occur.

                                       Recommendation

We recommend the following corrective action:

       Implement monthly procedures to submit a list of inactive participants to the PRISM
       team before the month-end cut-off to update the pay status to inactive and to verify
       that the submitted changes were made. (IOD-208)


4.     Participant data audits not properly supported and reviewed.

Audits of the completeness and accuracy of participant data (participant data audits) are
primarily performed by the Corporation to provide its actuaries with the information necessary
to efficiently and accurately complete the plan valuations and to determine which plan
participants are eligible for benefits. During our FY 2001 testing of the participant data audits,
we noted that the audit procedures performed and source documents examined were not
clearly described or maintained in the audit reports reviewed.

In accordance with the IOD TP 12.7, “all source documents traced to during the testing of the
database must be copied and placed in the audit work papers to support the confidence level
certified by the auditor or reviewer.” In addition, TP 12.8 specifically describes the auditing
procedures, sampling methodologies, and error classification methodologies to be followed.

If the participant data audit reports are not in compliance with IOD TPs 12.7 and 12.8, it is
difficult for management to review the work performed and ensure that the objectives of the
audits are met.

                                      Recommendation

We recommend the following corrective action:

       Modify TP 12.7 and 12.8 to require that the audit working papers be imaged,
       including the sample selected, the database associated with the sample, all
       sources used to test the sample and the errors found in the sample. (IOD-209)


5.     Premium Policies and Procedures Need to be Developed and Enforced.

PBGC collects premiums from covered defined benefit pension plans to finance the
operations. Premiums that are unpaid or underpaid are reflected as premiums
receivable.
In our FY 2001 audit work, we noted untimely premium refunds and inconsistent application of
the premium receivable allowance methodology.


5.1    Premium refunds not authorized timely.

During FY 2001 testing of premium refunds, we noted 15 out of 48 refunds (31%) were
authorized by PBGC ranging from four months to more than two years after the date of the
refund request.

According to the 2000 PBGC Corporate Performance Measures reported in the 2000 Annual
Report, management's goal is to “research and respond within 90 days to requests for premium
refunds….” According to the 2001 PBGC Corporate Performance Measures reported in the
2001 Annual Report, this measure was refined to define the ninety-day period to be “…from
receipt to completion of the request….”

PBGC has not made timely authorization and payment of refunds a priority. Although PBGC
appears to be accounting for these refunds properly, untimely authorization of refunds delays
the payments to the plans and results in poor customer service.

                                        Recommendation

We recommend the following corrective action:

       Strengthen compliance with premium refund timeliness goals. (FOD-289)


5.2    Premiums receivable allowance methodology not consistent.

During our FY 2001 testing of the premiums receivable allowance for doubtful accounts, we
noted the method used to calculate the allowance has been changed through the years. PBGC
calculates its allowance using billing and collection information from past and current years.
The allowance calculation has been changed each year to include different amounts of
historical information. For example, in FY 2001, the premium allowance estimate was
calculated using data from FY 1994 – 2001, while in FY 2000, only five years of billing and
collection data were used.

We also noted that the method of determining the cash receipts amount is ineffective for the
purposes of the allowance calculation. PBGC calculates the cash receipts amount by
identifying which payments were remitted along with returned Statements of Accounts (SOA).
An SOA is mailed to a plan to alert the plan that it owes premiums, penalties and/or interest to
PBGC. However, payments may be sent to PBGC in response to SOAs received, but are not
identified as SOA-related cash receipts because SOAs do not accompany the payments.
Therefore, PBGC cannot determine an accurate total for the cash receipts amount that is used
in its calculation of the SOA allowance.

From our testing, it appears that PBGC does not consistently apply its allowance methodology.
By changing the allowance calculation used each year, the allowance is not comparable from
year to year. In addition, PBGC does not have the data to be able to calculate an accurate
cash collections amount related to the SOA accounts receivable. If a plan does not mail its
SOA in with its payment, PBGC is unable to determine if this amount relates to the SOA
accounts receivable.

                                      Recommendation

We recommend the following corrective action:

       Adopt a methodology for the premiums receivable allowance calculation and apply
       it consistently each year. (FOD-290)


6.     Information Technology Security and Policies Need Strengthening.

The information security environment is dynamic.
It requires constant attention and
assessment to protect PBGC’s information infrastructure and its business data. In our FY
2001 audit testing, we noted several periodic reviews that are not being performed, the
information security function responsibilities appear to be fragmented, and change control
standards are not consistently followed.

6.1    Periodic risk assessments not performed.

As a result of our FY 2001 audit work, we noted that PBGC does not conduct regular risk
assessments of its environment and business processes. This increases the potential for
threats and vulnerabilities affecting PBGC and its business applications. OMB Circular A-130,
Appendix III, states:

       Security efforts are better served by generally assessing risks and taking actions
       to manage them, rather than continue to try to precisely measure risk. While
       formal risk analyses need not be performed, the need to determine adequate
       security will require that a risk-based approach be used. This risk assessment
       approach should include a consideration of the major factors in risk
       management: the value of the system or application, threats, vulnerabilities,
       and the effectiveness of current or proposed safeguards.

PBGC stated that it will begin to perform risk assessments on a regular basis from fiscal
year 2002 onwards. These risk assessments will be performed in-house by PBGC staff.

In the absence of an up-to-date risk assessment, effective security controls may not be
implemented to prevent or detect unauthorized or inappropriate access to PBGC systems and
information. In addition, it would be difficult to determine the appropriate controls required to
protect data sensitivity, integrity, and resources.

                                          Recommendations

We recommend the following corrective actions:

       Develop and document specific policies and procedures to perform risk assessments of
       business systems as required by OMB. (CTO-1)

       Implement the established policies and procedures for completing risk assessments
       to comply with OMB requirements. (CTO-2)


6.2    Continued improvements needed in information security function.

In response to OIG audits of information security, PBGC has been implementing corrective
actions to improve its information security program and practices. These included the
appointment of an Information System Security Officer (ISSO). In our FY 2001 audit work, we
noted that PBGC’s organizational structure as it relates to information security roles appears
to be fragmented.

The National Institute of Standards and Technology (NIST) Special Publication 800-14,
Generally Accepted Principles and Practices for Securing Information Technology Systems, states
in part:

       The people who run the system security program should understand the
       system, its mission, its technology, and its operating environment. Effective
       security management needs to be integrated into the management of the
       system. However, if a computer security program lacks appropriate
       independence, it may have minimal authority, receive little management
       attention, and have few resources.

Although a single individual, the ISSO, has been designated as responsible for information
security, there exists a multitude of staffing and reporting lines for various security positions
throughout PBGC that have no direct reporting relationship to the ISSO. This increases the
risk that this role will become ineffective, as noted in NIST 800-14 above. At the present time,
this position appears to be lacking the needed authority and accountability to promote an
effective security program for PBGC.

                                           Recommendation

We recommend the following corrective action:

       Improve the information security structure to provide for enhanced responsibility
       and accountability. (IRMD-131)


6.3    Periodic re-certification of PBGC systems’ user accounts not performed.

System user accounts, commonly referred to as user IDs, determine the type and extent of
access to business systems granted to an individual user. As a result of our FY 2001 audit
testing, we noted that PBGC system user accounts are not periodically reviewed.
PBGC has
not established a formal policy or procedure to perform periodic reviews of user accounts,
usually referred to as re-certifications.

NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing
Information Technology Systems, states:

       It is necessary to periodically review user account management on a system.
       Reviews should examine the levels of access each individual has, conformity
       with the concept of least privilege, whether all accounts are still active, whether
       management authorizations are up-to-date, whether required training has been
       completed….

By not performing periodic re-certifications, the risk is increased that employees may retain
access to systems they should not be authorized to use after they transfer positions or
terminate employment with PBGC. This may diminish the integrity and reliability of data by
increasing the risk of destruction or inappropriate disclosure of sensitive data.

                                          Recommendations

We recommend the following corrective actions:

       Develop and document policies and procedures for the performance of periodic
       re-certifications of PBGC systems’ user accounts. (IRMD-132)

       Implement periodic re-certifications of PBGC systems’ user accounts. (IRMD-133)


6.4    Change control standards not consistently followed.

At PBGC, various groups develop applications software. We noted during our FY 2001 testing
that the development groups do not consistently follow the change management standards.
These standards require the PBGC Change Management Group to review the Peregrine (change
management software package) records to see that access and change controls have been
followed. This enables the Change Management Group to verify that changes have been
appropriately approved. While reviewing change controls of the development groups for the
Integrated Present Value of Future Benefits (IPVFB) and the Premium Accounting System
(PAS), we noted that their changes are not entered into Peregrine at the beginning of the
change cycle, as required.

Additionally, out of a sample of 17 changes tested, only one contained a documented
Significant Occurrences Report (SOR), as required. These reports are used to document and
inform individuals attending the weekly change management meetings of upcoming changes.
Based on our testing, we noted that formal SORs are not always submitted.

Non-compliance or inconsistent adherence to existing policies, procedures, and standards
increases the risk of unauthorized changes, errors or irregularities in the production
environment.

                                       Recommendation

We recommend the following corrective action:

       Establish monitoring procedures to enforce compliance with existing change control
       policies, procedures, and standards. (IRMD-134)


7.     Multiemployer Non-recoverable Future Financial Assistance Lacks Procedures.

PBGC provides financial assistance to multiemployer plans, in the form of loans, to enable the
plans to pay guaranteed benefits to participants and reasonable administrative expenses.
These loans are issued in exchange for interest-bearing promissory notes and constitute an
obligation of the plan. The present value of non-recoverable future financial assistance
represents the estimated non-recoverable payments that PBGC will provide in the future to
multiemployer plans that will not be able to meet their benefit obligations. In our FY 2001
audit work we noted several weaknesses in PBGC’s implementation of the financial assistance
program.


7.1    Actuarial data sources to calculate NRFFA liability not periodically evaluated.

During our FY 2001 testing of the present value of the Multiemployer Non-recoverable Future
Financial Assistance (NRFFA) liability, we noted that a large number of the sample cases had
old data sources, with source valuation dates as far back as 1985. For instance, one plan had
a 16-year-old data source, while another had a 14-year-old data source.

Currently, PBGC does not have a procedure to re-evaluate data sources on a periodic basis to
determine if updated data sources are available and should be used. The older the data
source, the less credible the actuarial projections are. The impact could be either an overall
increase or decrease to the present value of the NRFFA liability.
New valuations should be
obtained or completed for the cases for which PBGC determines an updated data source is
necessary.

                                       Recommendation

We recommend the following corrective action:

       For cases with data sources more than five years old, implement a procedure to
       determine whether 1) an updated data source would provide a more accurate
       estimate of the NRFFA liability and 2) a valuation is available or can be completed
       without a significant burden on resources. (IOD-210)


7.2    Promissory notes not safeguarded.

During our FY 2001 testing of the NRFFA liability, we noted that the January – September
2001 promissory notes and financial assistance disbursement documents were not filed in the
General Accounting Branch (GAB) vault to safeguard these assets. In addition, two of 56
original promissory notes prepared for financial assistance payments were not found.

PBGC has written procedures pertaining to safekeeping official PBGC documents that require
security and protection. However, these written procedures need to be strengthened to include
timely storage. Promissory notes and other documents not properly stored may be lost.

                                        Recommendation

We recommend the following corrective action:

       Revise the Controller Division Consolidated Procedures Manual to require that the
       promissory notes and financial assistance disbursement documents are timely
       placed in the General Accounting Branch vault, and sign-out logs are periodically
       reviewed to ensure documents are returned timely. (FOD-291)


8.     Investment Management Policies and Procedures Are Needed.

PBGC manages trust fund assets, which are comprised of assets received from terminated
pension plans that PBGC trustees. These trust fund assets are in several investment forms
such as debt securities, equities, real estate, and commingled pooled funds. SSB is PBGC’s
custodian for commingled trust fund assets. PBGC contracts with various investment
management firms to manage the assets, and oversees the investment managers to ensure the
proper authorization of transactions and compliance with PBGC’s investment policy. In our FY
2001 audit work, we noted that PBGC needs to strengthen its oversight of derivatives, and
provide for regular Board of Directors review of the investment policy.


8.1    Derivative instruments not reconciled and monitored periodically.

During FY 2001 testing of derivatives, we noted that a reconciliation of the custodian (SSB) and
investment managers' (PIMCO and Wellington) derivative inventories had not been performed.
Through our testing, we noted minor unexplained discrepancies between the investment
managers' and SSB’s valuations of options and currency forwards. We noted one of the
currency forwards listed on the Wellington detail could not be found on the SSB detail.
Finally, we noted unreconciled differences in the reporting of currency forwards.

In our testing of PBGC's accounting for derivatives, we noted that reverse repurchase collateral
was erroneously classified as a "margin variation payable" by SSB.
We noted the fair value of\nthe currency forwards had been inappropriately accounted for in accordance with SFAS 133,\nAccounting for Derivative Instruments and Hedging Activities.\n\nOMB Circular A-127, relating to financial management systems, states that "financial\nmanagement systems must be in place to process and record financial events effectively and\nefficiently, and to provide complete, timely, reliable, and consistent information.\xe2\x80\xa6"\n\nAdditionally, OMB Circular A-123 specifies that "management accountability is the expectation\nthat managers are responsible for the quality and timeliness of program performance,\nincreasing productivity, controlling costs and mitigating adverse aspects of agency operations,\nand assuring that programs are managed with integrity and in compliance with applicable\nlaw."\n\nThe pricing of options is performed using pricing models; SSB independently prices\ninvestments and differences may arise as a result. Other differences are due to a different\nrounding off of exchange rates and gross versus net presentation of the inventories. In\naddition, PBGC and SSB have not been meeting periodically to discuss the changing reporting\nneeds as new types of derivatives are purchased.\n\nWe noted that PBGC management relied heavily on the controls in place at SSB and the\ninvestment managers, PIMCO and Wellington, to properly account for its derivatives. PBGC\nreports its derivative activity in accordance with SSB\'s reports. 
This was due, in part, to PBGC\npersonnel not having the necessary training to fully understand the accounting for derivatives.\nBy relying on these outside parties without properly trained PBGC personnel monitoring and\nreviewing information provided, management increases the risk of inappropriately accounting\nfor and reporting derivatives.\n\n\n\n                                      Recommendations\n\nWe recommend the following corrective actions:\n\n       Provide the appropriate training to PBGC management and employees to\n       understand derivatives transactions, account for them properly, and disclose them\n       properly in the financial statements (FOD-292)\n\n       Actively monitor derivatives activity by monitoring SSB\'s accounting and reporting\n       activities. (FOD-293)\n\n       Reconcile SSB and the investment managers\xe2\x80\x99 derivative inventories and positions\n       monthly. (FOD-294)\n\n\n\n\n                                               19\n\n                                                                                   2002-6/23157-5\n\x0c8.2    Investment policy not periodically\n       approved by the Board of Directors.\n\nBased on our review, PBGC does not have a requirement for the Board to review and approve\nthe investment policy on a periodic basis. PBGC\'s current investment policy was approved by\nthe Board in 1994.\n\nSince 1994, the Board has changed twice, and the new Board has not formally reaffirmed the\nexisting investment policy. Furthermore, there have been changes in market conditions and\nthe accounting for certain investments (including changes to the definition of derivative\ninvestments) since 1994 that may have warranted a revisit and assessment to the current\ninvestment policy.\n\nBased on our review, PBGC\'s documented investment policy does not provide clear and\ncomplete provisions. 
For example, the investment policy states the following general guidelines:

       PBGC's environment is dynamic. The philosophy incorporated herein is to allow for sufficient flexibility in the management process to capture investment opportunities as they may occur, yet set forth reasonable parameters to ensure prudence and care in the execution of the investment program....Investment decisions will be geared primarily to maximizing investment return within acceptable levels of risk....prudent risk-taking is justifiable.

These statements alone do not provide clear guidance on the policy. The written policy is specific regarding some investment matters and general on others. For example, the specific guidelines within the investment policy state that "futures and options may be used for hedging purposes." However, the policy is unclear with respect to the use of derivatives for non-hedging purposes and the use of active versus passive investment strategies.

The ambiguity of the policy makes it difficult for anyone to determine whether PBGC is, in fact, in compliance with its investment policy.

Recommendation

We recommend the following corrective action:

       PBGC's Board of Directors should review and approve PBGC's investment policy once every two years. (FOD-295)

TAB A

                                                      Office of the Executive Director

                                                              August 15, 2002

TO:          Deborah Stover-Springer
             Acting Inspector General

FROM:        Steven A.
Kandarian
             Executive Director

SUBJECT:     FY 2001 Financial Statement Audit -
             Draft Management Letter Report 2002-6/23157-5

We appreciate the opportunity to respond to the subject draft report. As you can see in the specific responses below, we agree with your recommendations and are actively pursuing corrective actions.

1.    Classification of administrative expenses not properly supported.

Recommendation 1: Develop a system to specifically identify limitation administrative expenses and develop fiscal year budgets using the specific identification methods.

Response: Agree. We have been considering changes in our budget methodology, and we are currently vetting a draft of a new methodology among senior staff, DOL and OMB. The changes contemplate a system that would be more clearly aligned with our two major lines of business: pension insurance and termination of failed pension plans. The final structure of the new methodology is dependent upon that clearance process.

Recommendation 2: Provide documentation to support the accuracy of the allocation ratio and the propriety of designating administrative expenses as not being subject to limitation as defined in the appropriation law.

Response: Agree. As we have discussed with your office, we will address this recommendation by implementing a new system, subject to the clearance process noted above.

2.1   PRISM Trial Balance Reconciliation not properly maintained and reviewed.

Recommendation 3: Enforce PRISM Trial Balance Reconciliation review procedures in TP 11.1.

Response: Agree. We concur with the finding and have initiated corrective action to ensure that Trial Balance reconciliations are properly maintained and reviewed in a timely manner. We will look into the practicality of imaging the reconciliations. The technical procedure in the IOD Manual is currently being reviewed and an update is pending.
This response also applies to Recommendations No. 4 and 5 below.

Recommendation 4: Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to establish a timetable to review variances in the PRISM Trial Balance Reconciliation.

Response: See comments under Recommendation No. 3 above.

Recommendation 5: Amend PRISM Trial Balance Reconciliation review procedures in TP 11.1 to require that the reconciliations be imaged in IPS after supervisory review.

Response: See comments under Recommendation No. 3 above.

2.2   Lack of management review procedures regarding Balancer Module Reconciliation.

Recommendation 6: Document a review procedure of PRISM Balancer Module reconciliations and unify the reconciliation documentation requirements by defining which print screens to keep as evidence of final resolution of the discrepancy, and what areas need to be completed in the summary sheets for management review.

Response: Agree. We concur with the finding and have initiated corrective action to include steps for documenting review procedures for Balancer reconciliations, and advising management on trends that may require additional monitoring. This response also applies to Recommendation No. 7 below.

Recommendation 7: Establish monitoring criteria for PRISM Balancer Reconciliations by defining the types of discrepancies that should be "flagged" by the staff and brought to management's attention for follow-up action.

Response: See comments under Recommendation No. 6 above.

2.3   Reconciliations of benefit payments to funding requests not performed timely or reviewed.

Recommendation 8: Amend TP 30.1 to include deadlines for completion of the monthly reconciliations and to require supervisory review and approval.

Response: Agree.
We concur with the finding and have initiated corrective action to update the funding reconciliation procedures to establish a time frame for completing the reconciliation and management review.

3.    Participants with incorrect pay status in PRISM.

Recommendation 9: Implement monthly procedures to submit a list of inactive participants to the PRISM team before the month-end cut-off to update the pay status to inactive and to verify that the submitted changes were made.

Response: Agree. We concur with the finding. An automated program currently exists to update records with lump sum pay-offs, and it is working as designed. We have generated a list of records meeting these criteria and have determined that the vast majority of the records were created prior to implementing the automated status change program. We expect to complete our review of the list in the near future, and will correct the status of these records in the upcoming months.

4.    Participant data audits not properly supported and reviewed.

Recommendation 10: Modify TP 12.7 and 12.8 to require that the audit working papers be imaged, including the sample selected, the database associated with the sample, all sources used to test the sample and the errors found in the sample.

Response: Agree. We concur with the finding and have initiated process evaluation efforts that will result in modifying the existing Participant Data Audit procedures to require that the audit working papers be imaged, including the sample selected, the database associated with the sample, all sources used to test the sample and the errors found in the sample.

5.1   Premium refunds not authorized timely.

Recommendation 11: Strengthen compliance with premium refund timeliness goals.

Response: Agree. PBGC has taken steps in FY 2002 to strengthen compliance with the Corporation's premium refund timeliness goal of achieving 75% within 90 days by fiscal year end.
These actions have steadily improved the timeliness of refunds being issued within 90 days, from 26% as reported in the 2001 annual report to 50% as of July 2002, fiscal year to date.

Recent improvements are demonstrated by the fact that during the third quarter of FY 2002, approximately 79% of newly received refund requests were processed within 90 days.

5.2   Premiums receivable allowance methodology not consistent.

Recommendation 12: Adopt a methodology for the premiums receivable allowance calculation and apply it consistently each year.

Response: Agree. We agree it is important to utilize a consistent methodology for estimating the allowance for doubtful accounts. We have analyzed our premiums receivable allowance methodology and have determined that the historical information utilized in the analysis should be from the years premiums have been processed in PAS (FY 1994) to the present year. This approach is consistent with the methodology used in FY 2001 and the methodology used in prior years except for FY 2000. We utilized a different methodology in FY 2000 (five-year average), but we determined that the methodology used in FY 2001 and in years prior to FY 2000 would be more appropriate.

Beyond FY 2002, the allowance methodology may be re-evaluated as we implement premium data quality improvements and system enhancements, which could provide a new basis for the underlying assumptions.

6.1   Periodic risk assessments not performed.

Recommendation 13: Develop and document specific policies and procedures to perform risk assessments of business systems as required by OMB.

Response: Agree.
IRMD will revise PBGC's information security policy to require that risk assessments consistent with OMB Circular A-130 be performed as a part of updating system security plans, and will provide guidance in performing those risk assessments.

Recommendation 14: Implement the established policies and procedures for completing risk assessments to comply with OMB requirements.

Response: Agree. The Chief Technology Officer (CTO) will implement the updated policy and the guidance, and monitor compliance through the Information Systems Security Officer (ISSO).

6.2   Continued improvements needed in information security function.

Recommendation 15: Improve the information security structure to provide for enhanced responsibility and accountability.

Response: Agree. In July 2002, PBGC hired an Assistant Executive Director and Chief Technology Officer (CTO). This position reports directly to PBGC's Executive Director. PBGC's IRMD Department now reports to the CTO. One of the CTO's responsibilities is overseeing the Information Security program. Starting in the fourth quarter of FY 2002, the CTO plans to initiate the task of evaluating the roles and responsibilities of PBGC security staff and its management structure. This effort will include clarification of lines of reporting, accountability, and the effectiveness of the program.

6.3   Periodic re-certification of PBGC systems' user accounts not performed.

Recommendation 16: Develop and document policies and procedures for the performance of periodic re-certifications of PBGC systems' user accounts.

Response: Agree. PBGC expects to complete the implementation of a new process for managing system user accounts by July 2003. The new process is based upon job profiling and a cross-platform security application that is centrally managed.
The new process will include a re-certified baseline of user accounts.

Recommendation 17: Implement periodic re-certifications of PBGC systems' user accounts.

Response: Agree. IRMD will re-certify all user accounts, based upon job profile, once a year beginning in fiscal year 2004. The re-certification will be conducted in conjunction with the annual security assessment.

6.4   Change control standards not consistently followed.

Recommendation 18: Establish monitoring procedures to enforce compliance with existing change control policies, procedures, and standards.

Response: Agree. Since October 2001, a detailed compliance report has been generated and is reviewed monthly by the IRMD Technical Infrastructure Division (TID) manager. Starting October 2002, compliance reports by workgroups will be generated and distributed to IRMD Division Managers and contract program managers for review. Beginning in January 2003, the quarterly reports will begin reflecting Significant Occurrences Reporting (SOR) information.

7.1   Actuarial data sources to calculate NRFFA liability not periodically evaluated.

Recommendation 19: For cases with data sources more than five years old, implement a procedure to determine whether 1) an updated data source would provide a more accurate estimate of the NRFFA liability and 2) a valuation is available or can be completed without a significant burden on resources.

Response: Agree. IOD concurs with the finding and has initiated corrective action.
A draft of the revised procedures is currently in distribution for review.

7.2   Promissory notes are not safeguarded.

Recommendation 20: Revise the Controller Division Consolidated Procedures Manual to require that the promissory notes and financial assistance disbursement documents are timely placed in the General Accounting Branch vault, and that sign-out logs are periodically reviewed to ensure documents are returned timely.

Response: Agree. The original notes and financial assistance documents (security agreements) for the transactions in question were subsequently located. The procedures manual has been updated to reflect the current changes that require the staff to copy the note and file the original upon receipt. In addition, the accountant responsible for financial assistance will annotate on the schedule of payments maintained for each plan the date the note and other documents were filed. A log will be maintained for signing out and returning the documents to the vault.

8.1   Derivative instruments not reconciled and monitored periodically.

Recommendation 21: Provide the appropriate training to PBGC management and employees to understand derivatives transactions, account for them properly, and disclose them properly in the financial statements.

Response: Agree. On June 17, 2002, FOD provided a comprehensive all-day derivatives training course. Ira G. Kawaler, Ph.D. (Executive Enterprise Institute) conducted the training course on June 17, 2002. Dr. Kawaler is currently a member of the Financial Accounting Standards Board's Derivative Implementation Group. Management and staff from the Controller Operations Division, Policy and Procedures Control Division, Treasury Division, Financial Operations Department and State Street Bank attended the training.
The training provided: derivative definition; current market nomenclature and quoting conventions for derivative instruments; SFAS 133 accounting and derivative disclosure requirements; speculation vs. hedging; types of derivative instruments (e.g., futures contracts, forward contracts, options, swaps) and types of hedges (e.g., fair value, cash flow); and accounting requirements.

Recommendation 22: Actively monitor derivatives activity by monitoring SSB's accounting and reporting activities.

Response: Agree. In May 2002, the Controller Operations Division Investment Accounting Branch (IAB) implemented a review and reconciliation process that requires SSB and the investment manager to reconcile the derivative inventory and IAB to review the detail activity for the Commingled Fund and TWA each month. Any potential discrepancies and newly identified derivatives will be forwarded to the Financial Reporting and Account Analysis Group (monthly) and to the Controller (at minimum, quarterly) for review and concurrence. If a new type of derivative is identified in this review process, it will be added to the derivative inventory and SSB and the investment manager will be notified. The procedures were updated and implemented during July 2002.

Recommendation 23: Reconcile SSB and the investment managers' derivative inventories and positions monthly.

Response: Agree. FOD is currently reviewing the SSB and investment manager reconciliation of the derivative inventories. The reconciliation includes the derivative inventory, share position, notional value and margin variation. This reconciliation is being done on a monthly basis as part of the established monthly reconciliation procedures performed by SSB and the investment managers.
This procedural change was developed in March 2002 and fully implemented in May 2002.

8.2   Investment policy not periodically approved by the Board of Directors.

Recommendation 24: PBGC's Board of Directors should review and approve PBGC's investment policy once every two years.

Response: Agree. During FY 2003, the PBGC Board of Directors will review and approve PBGC's investment policy, and every two years thereafter.
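The annual re-certification of user accounts against job profiles that management describes under finding 6.3 (Recommendations 16 and 17) is shown below as an added, runnable illustration. This is editorial example code, not PBGC's or IRMD's process or its "cross-platform security application"; the job-profile catalogue, entitlement names, account export, 365-day certification age and 90-day dormancy threshold are all constructed assumptions for the example.

```python
"""Annual user-account re-certification against job profiles.

Editorial example (not PBGC/IRMD code). A central identity tool is assumed to
export one record per account with its job profile, entitlements, the date a
manager last attested to the access, and the last login. Every account either
re-enters the certified baseline or is returned as an exception for action.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed job profiles: the entitlements each role is permitted to hold.
JOB_PROFILES: Dict[str, FrozenSet[str]] = {
    "benefits_clerk": frozenset({"PRISM:read", "PRISM:update_pay_status"}),
    "accountant":     frozenset({"PRISM:read", "GL:post", "IPS:read"}),
    "sysadmin":       frozenset({"OS:admin", "PRISM:read"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    profile: str                    # job profile the account was provisioned from
    entitlements: FrozenSet[str]
    last_certified: Optional[date]  # date a manager last attested to the access
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    detail: str = ""


def review_account(acct: Account, as_of: date,
                   profiles: Dict[str, FrozenSet[str]] = JOB_PROFILES,
                   max_cert_age_days: int = 365,
                   dormant_days: int = 90) -> List[Finding]:
    """Return every reason this account cannot be re-certified as it stands."""
    findings: List[Finding] = []
    allowed = profiles.get(acct.profile)
    if allowed is None:
        # Profile no longer in the catalogue: nobody can attest to what it should hold.
        findings.append(Finding(acct.user, "unknown_profile", acct.profile))
    else:
        excess = acct.entitlements - allowed
        if excess:  # access accumulated beyond the job profile (least privilege drift)
            findings.append(Finding(acct.user, "excess_entitlements",
                                    ",".join(sorted(excess))))
    if acct.last_certified is None:
        findings.append(Finding(acct.user, "never_certified"))
    elif (as_of - acct.last_certified).days > max_cert_age_days:
        findings.append(Finding(acct.user, "certification_expired",
                                acct.last_certified.isoformat()))
    # Dormancy is flagged even when the scope is right: the question is whether
    # the account is still needed at all, not only whether it is correctly scoped.
    if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
        findings.append(Finding(acct.user, "dormant"))
    return findings


def recertify(accounts: List[Account], as_of: date,
              **kw) -> Tuple[List[Account], List[Finding]]:
    """Split an account export into a re-certified baseline and an exceptions list."""
    baseline: List[Account] = []
    exceptions: List[Finding] = []
    for acct in accounts:
        findings = review_account(acct, as_of, **kw)
        if findings:
            exceptions.extend(findings)
        else:  # clean account: stamp it with the new certification date
            baseline.append(Account(acct.user, acct.profile, acct.entitlements,
                                    last_certified=as_of, last_login=acct.last_login))
    return baseline, exceptions


# Constructed account export (sample data, not a real PBGC extract).
AS_OF = date(2003, 9, 30)
SAMPLE_EXPORT = [
    Account("jdoe", "benefits_clerk",
            frozenset({"PRISM:read", "PRISM:update_pay_status"}),
            date(2003, 1, 15), date(2003, 9, 29)),
    # Clerk who acquired a posting right the profile does not allow.
    Account("asmith", "benefits_clerk", frozenset({"PRISM:read", "GL:post"}),
            date(2003, 1, 15), date(2003, 9, 28)),
    # Never certified and unused since February: a revoke candidate.
    Account("bjones", "accountant", frozenset({"PRISM:read", "GL:post"}),
            None, date(2003, 2, 1)),
    # Correctly scoped, but the attestation is older than a year.
    Account("root2", "sysadmin", frozenset({"OS:admin"}),
            date(2002, 6, 1), date(2003, 9, 30)),
    # Provisioned from a role that is no longer in the catalogue.
    Account("xtemp", "contractor", frozenset({"PRISM:read"}),
            date(2003, 5, 1), date(2003, 9, 1)),
]

if __name__ == "__main__":
    certified, exc = recertify(SAMPLE_EXPORT, AS_OF)
    print(f"re-certified {len(certified)} account(s) as of {AS_OF}")
    for f in exc:
        print(f"{f.user:8} {f.reason:24} {f.detail}")
```

Run against the sample export, only `jdoe` re-enters the baseline; the other four accounts come back with one finding each except `bjones`, which is both never certified and dormant. The exceptions list, not the baseline, is what a manager signs off on, and the stamped baseline is what the next year's run is diffed against.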